As an example of ciphers independent of the plaintext, there exist form ciphers (essentially one-time pads), in which the complete sequence of key symbols constitutes the key. Encryption of this kind has, for example, been implemented by defense organizations. The drawback of a form cipher is that key material is consumed at the same rate as the information being transmitted. Also, the keys, which may be stored on a disc memory both at the transmitting end and at the receiving end of the communication channel over which the enciphered information is transmitted, have to be deposited for safe-keeping.
In order to eliminate the cumbersome handling of keys that form ciphers entail, the key sequences are often generated by feedback shift registers. The sequences of zeros and ones generated by such a shift register have properties that make them resemble randomly generated sequences, and they are often called pseudo-random sequences. Such a sequence is completely determined by the feedback connections and by the values stored in the shift register at the start. These initial shift register values are referred to in the following discussion as the "key". The key is thereby very short in comparison with the key sequence generated by the shift register, which considerably simplifies the handling of the key compared with the much longer key sequences normally associated with a form cipher.
However, one drawback attends the use of a feedback shift register: the cipher is too easy to break. Because the generator is linear (each new bit is a modulo-2 sum of earlier bits), if a part of the plaintext and the corresponding ciphertext are known, whose length need only be twice the length of the shift register, the key may be determined by solving a system of linear equations. Known plaintext of length 2L yields 2L keystream bits, which give L linear equations in the L unknown feedback coefficients; once these are known, the first L keystream bits are the initial register contents themselves, so with a known feedback arrangement L bits of known plaintext already suffice.
Different ways have been considered for introducing non-linear operations on the bits of the key sequence generated by a feedback shift register, in order to make the cipher harder to break. For this purpose more than one shift register may be used, the outputs of the different registers being combined in a non-linear way to generate a new key sequence, which is then added modulo 2 to the symbols of the plaintext.
It may be proved mathematically that a key sequence generated in this way can in most cases also be generated by an equivalent, although longer, linear shift register: every periodic binary sequence has a finite linear complexity, and a non-linear combination of short registers typically yields a linear equivalent whose length grows with the product, not the sum, of the register lengths, which is still finite and still attackable with correspondingly more known plaintext. It is therefore always difficult to guarantee sufficient resistance against code breaking when such methods are used.
In order to obtain high resistance to code breaking it is therefore necessary to use ciphers which are dependent on the plaintext. One such cipher, developed by the International Business Machines Corporation (IBM) in the U.S.A. for use by the Federal authorities in the U.S.A., has been adopted by the National Bureau of Standards (NBS) in Federal Information Processing Standards Publication No. 46 of Jan. 15, 1977. This cryptographic standard is denoted the Data Encryption Standard (DES). It is shown in FIG. 1 of the present specification.
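The following is an added example, not part of the patent text, illustrating the two shift-register passages above: a feedback shift register used as a keystream generator, the known-plaintext attack that recovers the feedback coefficients and the key from 2L known bits by solving a linear system over GF(2), and, for the non-linear combination case, the Berlekamp-Massey algorithm finding the equivalent linear register of a bitwise AND of two registers. Register lengths, feedback taps, keys and messages are all constructed here; the tap sets are taken from standard tables of maximal-length feedback polynomials and are assumed primitive.

```python
# Added example; the registers, taps, key and message below are constructed
# for illustration and are not taken from the patent.
from typing import List, Tuple

def keystream(state: List[int], taps: List[int], nbits: int) -> List[int]:
    """Fibonacci LFSR: the register holds s_n..s_{n+L-1}, emits s_n, and feeds
    back s_{n+L} = c_1 s_{n+L-1} + ... + c_L s_n (mod 2), with c_j = taps[j-1]."""
    L, s, out = len(state), list(state), []
    for _ in range(nbits):
        out.append(s[0])
        fb = 0
        for j in range(1, L + 1):
            fb ^= taps[j - 1] & s[L - j]
        s = s[1:] + [fb]
    return out

def to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def solve_gf2(rows: List[List[int]], rhs: List[int]) -> List[int]:
    """Gaussian elimination over GF(2) on a square system, rows kept as bit masks."""
    n = len(rhs)
    m = [sum(c << j for j, c in enumerate(r)) | (b << n) for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, n) if (m[i] >> col) & 1), None)
        if piv is None:
            raise ValueError("singular: the sequence has linear complexity below L")
        m[col], m[piv] = m[piv], m[col]
        for i in range(n):
            if i != col and (m[i] >> col) & 1:
                m[i] ^= m[col]
    return [(m[i] >> n) & 1 for i in range(n)]

def recover_taps(ks: List[int], L: int) -> List[int]:
    """2L consecutive keystream bits give, for n = L..2L-1, the L linear
    equations s_n = sum_j c_j s_{n-j} in the L unknown feedback coefficients."""
    rows = [[ks[n - j] for j in range(1, L + 1)] for n in range(L, 2 * L)]
    return solve_gf2(rows, ks[L:2 * L])

def break_lfsr_cipher(ct: bytes, known_prefix: bytes, L: int) -> bytes:
    """Known-plaintext attack: 2L plaintext bits expose 2L keystream bits, which
    yield the taps; the first L keystream bits are the initial register (the key)."""
    ct_bits, pt_bits = to_bits(ct), to_bits(known_prefix)
    if len(pt_bits) < 2 * L:
        raise ValueError("need at least 2L known plaintext bits")
    ks = [c ^ p for c, p in zip(ct_bits[:2 * L], pt_bits[:2 * L])]
    taps, key = recover_taps(ks, L), ks[:L]
    full = keystream(key, taps, len(ct_bits))
    return from_bits([c ^ k for c, k in zip(ct_bits, full)])

def berlekamp_massey(s: List[int]) -> Tuple[int, List[int]]:
    """Shortest LFSR generating s: returns (linear complexity L, taps c_1..c_L)."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[1:L + 1]

# Constructed cipher register: x^16 + x^15 + x^13 + x^4 + 1 (assumed primitive).
TAPS16 = [1 if j in (1, 3, 12, 16) else 0 for j in range(1, 17)]
KEY16 = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1]

def attack_demo() -> bytes:
    """Encrypt a message under the 16-bit key; the attacker knows only the
    ciphertext and that it begins with 'ATTA' (32 bits = 2L) and recovers it all."""
    msg = b"ATTACK AT DAWN; ACCOUNT 0042 TRANSFER 1500"
    bits = to_bits(msg)
    ct = from_bits([p ^ k for p, k in zip(bits, keystream(KEY16, TAPS16, len(bits)))])
    return break_lfsr_cipher(ct, b"ATTA", 16)

def product_complexity(nbits: int = 200) -> int:
    """Bitwise AND of two registers (lengths 5 and 3, x^5+x^3+1 and x^3+x^2+1)
    is non-linear, yet an equivalent linear register of length 5*3 = 15 exists."""
    a = keystream([1, 0, 0, 1, 1], [0, 1, 0, 0, 1], nbits)
    b = keystream([1, 1, 0], [1, 0, 1], nbits)
    Lc, _ = berlekamp_massey([x & y for x, y in zip(a, b)])
    return Lc
```

`attack_demo()` returns the full plaintext from four known leading bytes, and `product_complexity()` returns 15: the AND of a 5-bit and a 3-bit register is reproduced exactly by a 15-bit linear register, so an attacker needs 30 known bits rather than 16, which is more but still trivial.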
According to this system the plaintext is partitioned into blocks $M$ of 64 bits. As a first step these bits are permuted according to a fixed, key-independent permutation schedule (the initial permutation). Separately, a key schedule derives 16 key words $K_1, K_2, \ldots, K_{16}$ from a KEY of 64 bits, 8 of which are parity check bits, so that 56 key bits are effective. After the initial permutation the block is partitioned into two smaller blocks, a left block $L_0$ and a right block $R_0$, each of 32 bits. The two halves are then subjected to an iteration process of 16 steps defined by the relations

$$L_n = R_{n-1}, \qquad R_n = L_{n-1} \oplus f(R_{n-1}, K_n), \qquad n = 1, 2, \ldots, 16,$$

where $f$ is a non-linear function mapping $R_{n-1}$ and the key word $K_n$ into a 32-bit block which is added modulo 2 ($\oplus$) to $L_{n-1}$. The key word $K_n$ consists of 48 bits and is a function of KEY and the iteration step $n$, defined by a function KS:

$$K_n = \mathrm{KS}(n, \mathrm{KEY}).$$

In the last step $L' = R_{16}$ and $R' = L_{16}$ are combined into a 64-bit block

$$M' = L' R',$$

which is subjected to the inverse of the initial permutation of $M$ discussed above. The result of this last permutation is the enciphered block KB.
Decryption is effected by passing KB through an identical device with the same KEY, the key words being applied in reverse order, $K_n = \mathrm{KS}(17 - n, \mathrm{KEY})$. Because each step only adds $f(R_{n-1}, K_n)$ modulo 2 to one half while the other half passes through unchanged, a step is its own inverse when repeated with the same key word, whatever the function $f$; this is what allows the same hardware to serve both directions.
Each bit of the enciphered block KB is a function of all the bits of the plaintext block $M$ (and of all 56 effective key bits). The DES system provides relatively high resistance against breaking, since the only way known at the time of writing is to try different keys in a decryption device and look for meaningful plaintext at the output when the enciphered blocks are applied to the input. The number of possible keys is $2^{56}$, or about $7 \cdot 10^{16}$.
The DES system also permits high rates of encryption and decryption, since the apparatus can be fabricated in hardware using LSI chips, and such chips are already available on the market.
In spite of these qualities the DES system has been criticized in several instances (cf. Communications of the ACM, vol. 19, no. 3, March 1976, pp. 164 to 165). This criticism maintains that the resistance to code breaking will not be sufficient in the future (about the year 1990), owing to the rapid development of minicomputers and microcomputers and the falling cost of computation, which bring an exhaustive search of the $2^{56}$ keys within reach. Before the year 1990 it might therefore be necessary to change the standard cipher, requiring heavy expense and much labour. The DES system is not sufficiently flexible in this respect, which is also a disadvantage in another respect: it cannot be adjusted to fit special applications.
Another problem, inherent in all plaintext-dependent crypto systems proposed until now, is that a one-bit error in the transmission of an enciphered block normally implies that all the bits of the deciphered block are affected: on average about half of them are inverted, and which half cannot be predicted. This might be tolerated if a purely linguistic message is transmitted, but cannot be tolerated if the message includes numerical data.
One way to avoid this drawback is to let the plaintext block contain a password, a fixed check field which has to be recognized by the receiver before the block is approved; a block garbled by a transmission error will, with high probability, fail this check and can be rejected or retransmitted rather than silently accepted.
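The following is an added example, not from the patent and not DES itself: a 64-bit, 16-round Feistel network with exactly the step structure given above, decrypted by the same routine with the key words in the order KS(17 - n, KEY). It also demonstrates the two points made in the last two paragraphs, that a single-bit transmission error in the enciphered block scrambles the whole deciphered block, and that a password field inside the plaintext block lets the receiver detect this. The round function f (built on the PRESENT cipher's published 4-bit S-box, used here only as a conveniently documented non-linear table), the key schedule KS, the sample key and the sample data are all constructed for this example; DES's own S-boxes, permutations and key schedule are not reproduced.

```python
# Added example: a toy Feistel network in the structure of the DES equations.
# S-box, key schedule, key and data are constructed; this is not DES.
from typing import List, Tuple

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 16

def f(r: int, k: int) -> int:
    """Round function: key mixing, eight 4-bit S-boxes in parallel, then a bit
    permutation sending each S-box's four output bits to four different S-boxes,
    so that a one-bit difference spreads over the whole word within a few rounds."""
    x = (r ^ k) & MASK32
    y = 0
    for i in range(8):
        y |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    p = 0
    for i in range(32):
        if (y >> i) & 1:
            p |= 1 << ((i % 4) * 8 + i // 4)
    return p

def ks(n: int, key: int) -> int:
    """Key schedule KS(n, KEY): a 32-bit key word from a 64-bit KEY by rotation,
    folding and a round constant (constructed; no strength is claimed)."""
    rot = (7 * n) % 64
    rotated = ((key << rot) | (key >> (64 - rot))) & MASK64
    return ((rotated & MASK32) ^ (rotated >> 32) ^ (0x9E3779B9 * n)) & MASK32

def feistel(block: int, subkeys: List[int]) -> int:
    """Run the 16 steps with the given key words, then output R_16 || L_16."""
    l, r = block >> 32, block & MASK32
    for k in subkeys:
        l, r = r, l ^ f(r, k)      # L_n = R_{n-1};  R_n = L_{n-1} xor f(R_{n-1}, K_n)
    return (r << 32) | l           # final swap: M' = L'R' with L' = R_16, R' = L_16

def encrypt(block: int, key: int) -> int:
    return feistel(block, [ks(n, key) for n in range(1, ROUNDS + 1)])

def decrypt(block: int, key: int) -> int:
    # Same device, key words applied in the order K_n = KS(17 - n, KEY)
    return feistel(block, [ks(ROUNDS + 1 - n, key) for n in range(1, ROUNDS + 1)])

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def avalanche(key: int, block: int, bit: int) -> int:
    """Number of ciphertext bits changed by flipping a single plaintext bit."""
    return hamming(encrypt(block, key), encrypt(block ^ (1 << bit), key))

def pack_with_check(data48: int, password16: int) -> int:
    """Plaintext block = 48 data bits || 16-bit password the receiver must recognise."""
    return ((data48 & 0xFFFFFFFFFFFF) << 16) | (password16 & 0xFFFF)

def unpack_and_verify(block: int, password16: int) -> Tuple[int, bool]:
    """Return (data, accepted); accepted is False when the password field of the
    deciphered block does not match the expected value."""
    return block >> 16, (block & 0xFFFF) == (password16 & 0xFFFF)

def transmission_error_demo(key: int, data48: int, password16: int, flipped_bit: int):
    """Encrypt a block carrying a password, flip one ciphertext bit in transit,
    decrypt both copies, and report (bits of the deciphered block that changed,
    accepted without the error, accepted with the error)."""
    ct = encrypt(pack_with_check(data48, password16), key)
    pt_good = decrypt(ct, key)
    pt_bad = decrypt(ct ^ (1 << flipped_bit), key)   # the one-bit transmission error
    _, ok_good = unpack_and_verify(pt_good, password16)
    _, ok_bad = unpack_and_verify(pt_bad, password16)
    return hamming(pt_good, pt_bad), ok_good, ok_bad

if __name__ == "__main__":
    KEY = 0x0123456789ABCDEF                         # constructed sample key
    print(transmission_error_demo(KEY, 0x000000001500, 0xBEEF, 5))
```

Running the module prints a triple such as `(N, True, False)`: roughly half of the 64 deciphered bits differ after a single flipped ciphertext bit, the undamaged block passes the password check, and the damaged one is rejected. The check field costs 16 of the 64 bits per block, which is the price the passage above alludes to; a longer field lowers the chance that a garbled block passes by accident.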
In summary, the drawbacks of known crypto systems for data communication or data storage are the following:
1. Plaintext-independent ciphers have low resistance against breaking. Form ciphers are an exception; however, they require extremely long key strings, the handling of which meets with difficulties.
2. Plaintext-dependent ciphers are "stiff": they are rather expensive to change if their resistance against breaking is found to be insufficient.
3. Plaintext-dependent ciphers require passwords within the plaintext blocks in order that transmission errors caused by noise may be detected.